MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
SHA3-384 hash: 27d66ae03950f4e07e98e199257edfac2ccaaa227ab29c38de38a54cf8d4d6a4f2b602fb3acbd64ed7411756c4d4abba
SHA1 hash: 850db92a1aea8c8a7ba5a940c9f9ab19c31ce9a4
MD5 hash: 3b2a532f5145a1e1a1d04daf8119caf1
humanhash: monkey-charlie-potato-california
File name:file.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:759'808 bytes
First seen:2024-12-31 08:13:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:C4doaeP1x88nMuJYvYExLntAtRozVeGv5zW/H+ao1aFzJLrujKw+/ZY:hdFeP1HMEYtLkweY5MLbzJX+D
Threatray 4'728 similar samples on MalwareBazaar
TLSH T157F412F81E55CE9BDC940B7005B2E3BE62765E9EC402C357CBEDECFB7A1165A1908290
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 22842ce6e0889204 (2 x RemcosRAT, 2 x SnakeKeylogger, 1 x VIPKeylogger)
Reporter abuse_ch
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2024-12-31 08:19:08 UTC
Tags:
evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/97092dbe-dbc8-400f-888b-55e9bf7043df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12817.3491.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6773a7cc1ada70779824bef0
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6773a7cb027a5db46d248113/reports/4a4c74de-18dd-45be-bd47-2c08331d7ab1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f4d1388-bc91-4a03-9e06-9b49274808de
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582677
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-12-31 08:14:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jebzws2hke7sfj7ds22xu45l4avqamvasce6r6tizfga5ltflvvq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
5ffafbd40ac9b13b7376211d7251c3f325cf78fc74e89ef58dc2392983f36e45
VIPKeylogger
956d35ea5fc53269ca00d84d9f765ca6e7bb33e30eb376c54c94eebc4f5b7ef9
VIPKeylogger
bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a
VIPKeylogger
c081714907fc943cff0b637123039aff0237a226de4fb171cf430ed7c1da1163
VIPKeylogger
d398e0aca4c50720e795a3a819cb9f690060fd3dc214ac5b29b4f030392fcd69
VIPKeylogger
error
VIPKeylogger
+ 4'718 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/241231-j4zlpstncp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/71048b10-623f-45af-bbf3-ac824455f3d8
Unpacked files
SH256 hash:
052752c153a38ed2aae5f92e8eb8f0cd9b7cdbba694148f39625b58c4401d68f
MD5 hash:
b3e0fad17ee88b27ac02252919747c11
SHA1 hash:
773940bb388333ad612d352b94d1063322891c80
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/94a256fd-c841-4563-8ce8-317930671b70/
SH256 hash:
a8e195ab2134e85724c9fcddf4a8259fd0123d478015174be2338522eff4ae2c
MD5 hash:
d3ed8f538922ebad0f96fba670eee3a8
SHA1 hash:
6d25914f1ae4705f22dda290c5418c19f25dcb06
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/94a256fd-c841-4563-8ce8-317930671b70/
Parent samples :
49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
effc68899a8894822054617b45d79a9b94f7b756c6ce55d0682c1c7ed7f52e60
SH256 hash:
0e6c8fff9a28dae6ea41a7c1c1da4e78c64e5305154dc9c2508c103f5ab4c432
MD5 hash:
1a9ec5b159381deb14333044298adbbf
SHA1 hash:
0d684abbec550e5ad4673416bbc0e94f53a5a6cd
Link:
https://www.unpac.me/results/94a256fd-c841-4563-8ce8-317930671b70/
SH256 hash:
49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
MD5 hash:
3b2a532f5145a1e1a1d04daf8119caf1
SHA1 hash:
850db92a1aea8c8a7ba5a940c9f9ab19c31ce9a4
Link:
https://www.unpac.me/results/94a256fd-c841-4563-8ce8-317930671b70/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49039b4b4751/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments